Debian LTS: DLA-1872-1: python-django security update

    Date06 Aug 2019
    CategoryDebian LTS
    642
    Posted ByLinuxSecurity Advisories
    It was discovered that there were two vulnerabilities in the Django web development framework: * CVE-2019-14232: Prevent a possible denial-of-service in
    
    Package        : python-django
    Version        : 1.7.11-1+deb8u7
    CVE IDs        : CVE-2019-14232 CVE-2019-14233
    Debian Bug     : #934026
    
    It was discovered that there were two vulnerabilities in the
    Django web development framework:
    
      * CVE-2019-14232: Prevent a possible denial-of-service in
        django.utils.text.Truncator.
    
        If django.utils.text.Truncator's chars() and words() methods were
        passed the html=True argument, they were extremely slow to
        evaluate certain inputs due to a catastrophic backtracking
        vulnerability in a regular expression.  The chars() and words()
        methods are used to implement the truncatechars_html and
        truncatewords_html template filters, which were thus vulnerable.
    
        The regular expressions used by Truncator have been simplified in
        order to avoid potential backtracking issues. As a consequence,
        trailing punctuation may now at times be included in the
        truncated output.
    
      * CVE-2019-14233: Prevent a possible denial-of-service in strip_tags().
    
        Due to the behavior of the underlying HTMLParser,
        django.utils.html.strip_tags() would be extremely slow to
        evaluate certain inputs containing large sequences of nested
        incomplete HTML entities. The strip_tags() method is used to
        implement the corresponding striptags template filter, which was
        thus also vulnerable.
    
        strip_tags() now avoids recursive calls to HTMLParser when
        progress removing tags, but necessarily incomplete HTML entities,
        stops being made.
    
        Remember that absolutely NO guarantee is provided about the
        results of strip_tags() being HTML safe. So NEVER mark safe the
        result of a strip_tags() call without escaping it first, for
        example with django.utils.html.escape().
    
    For Debian 8 "Jessie", these has been fixed in python-django version
    1.7.11-1+deb8u7.
    
    We recommend that you upgrade your python-django packages. You can
    find more information in upstream's announcement:
    
      https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
    
    Thanks to Carlton Gibson et al. for their handling of these issues.
    
    
    Regards,
    
    - -- 
          ,''`.
         : :'  :     Chris Lamb
         `. `'`      This email address is being protected from spambots. You need JavaScript enabled to view it. / chris-lamb.co.uk
           `-
    
    
    You are not authorised to post comments.

    Comments powered by CComment

    LinuxSecurity Poll

    What do you think of the articles on LinuxSecurity?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 3 answer(s).
    /main-polls/24-what-do-you-think-of-the-quality-of-the-articles-on-linuxsecurity?task=poll.vote&format=json
    24
    radio
    [{"id":"87","title":"Excellent, don't change a thing!","votes":"14","type":"x","order":"1","pct":51.85,"resources":[]},{"id":"88","title":"Should be more technical","votes":"4","type":"x","order":"2","pct":14.81,"resources":[]},{"id":"89","title":"Should include more HOWTOs","votes":"9","type":"x","order":"3","pct":33.33,"resources":[]}]["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"]["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"]350
    bottom200

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.